Package: nfs-kernel-server
Severity: important

We have an environment with some NFSv4 mounts (of the type sec/krb5). These work like a charm, UNTIL intermittently the mounts become inaccessible. Sometimes the mounts only become read-only, sometimes totally inaccessible. This can happen during the night or during the day, so at least it is not caused by users' KRB5 tickets expiring.

At the point when this happens, /var/log/syslog on the client says (repeatedly, at exactly one-minute intervals):

Mar 27 10:03:05 noether rpc.gssd[12342]: handling krb5 upcall
Mar 27 10:03:05 noether rpc.gssd[12342]: Using keytab file '/etc/krb5.keytab'
Mar 27 10:03:05 noether rpc.gssd[12342]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_TFY.UTU.FI' are good until 1175000999
Mar 27 10:03:05 noether rpc.gssd[12342]: using FILE:/tmp/krb5cc_machine_TFY.UTU.FI as credentials cache for machine creds
Mar 27 10:03:05 noether rpc.gssd[12342]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_TFY.UTU.FI
Mar 27 10:03:05 noether rpc.gssd[12342]: creating context using fsuid 0 (save_uid 0)
Mar 27 10:03:05 noether rpc.gssd[12342]: creating tcp client for server kelvin.tfy.utu.fi
Mar 27 10:03:05 noether rpc.gssd[12342]: creating context with server [EMAIL PROTECTED]
Mar 27 10:03:05 noether rpc.gssd[12342]: DEBUG: serialize_krb5_ctx: lucid version!
Mar 27 10:03:05 noether rpc.gssd[12342]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Mar 27 10:03:05 noether rpc.gssd[12342]: doing downcall

So at least the client host's ticket seems ok.

The server syslog is as follows. I assume some of the cryptic-looking data was live KRB5 tickets; I removed them just in case they contain something sensitive. krb5 is not supposed to send anything sensitive over the wire, but I do not know what rpc.svcgssd logs - it could be logging the server's ticket, for example. Besides, it makes ugly reading. =) I'll send those if necessary and after checking what rpc.svcgssd actually logs.

Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: leaving poll
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: handling null request
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: readline: read 1044 chars into buffer of size 2048: \x \x(I CUT HERE)
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: in_handle:
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: length 0
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]:
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: in_tok:
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: length 519
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]:
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: 0000: (I CUT HERE TOO, 519 bytes were logged initially)
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: sname = nfs/[EMAIL PROTECTED]
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: DEBUG: serialize_krb5_ctx: lucid version!
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: doing downcall
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: \xb8010000 2147483647 -1 -1 0 krb5 \x(CUT THE DATA)
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: sending null reply
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: writing message: \x \x(CUT THE DATA)
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: finished handling null request
Mar 27 10:03:05 kelvin rpc.svcgssd[24454]: entering poll

The user's ticket cache says:

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 9
Auth time: Mar 27 09:09:26 2007
End time: Mar 27 19:09:26 2007
Renew till: Apr 6 09:09:26 2007
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:130.232.104.248

Server: afs/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc, kvno 4
Auth time: Mar 27 09:09:26 2007
Start time: Mar 27 09:09:27 2007
End time: Mar 27 19:09:26 2007
Ticket flags: transited-policy-checked
Addresses: IPv4:130.232.104.248

Server: nfs/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc, kvno 1
Auth time: Mar 27 09:09:26 2007
Start time: Mar 27 09:09:52 2007
End time: Mar 27 19:09:26 2007
Renew till: Apr 3 09:09:26 2007
Ticket flags: forwardable, renewable, transited-policy-checked
Addresses: IPv4:130.232.104.248

Client host's cache:

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 9
Auth time: Mar 26 16:09:59 2007
End time: Mar 27 16:09:59 2007
Renew till: Apr 2 16:09:59 2007
Ticket flags: forwardable, proxiable, renewable, initial
Addresses:

Server: nfs/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc, kvno 1
Auth time: Mar 26 16:09:59 2007
End time: Mar 27 16:09:59 2007
Renew till: Apr 2 16:09:59 2007
Ticket flags: forwardable, proxiable, renewable, transited-policy-checked
Addresses:

And server host's cache:

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 9
Auth time: Mar 26 23:42:47 2007
End time: Mar 27 23:42:47 2007
Renew till: Apr 2 23:42:47 2007
Ticket flags: forwardable, proxiable, renewable, initial
Addresses:

As you can see, all are valid.

-Juha

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17+juhaj+v1.0
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
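
One way to check the machine-credential lifetime at each upcall directly from the rpc.gssd lines quoted in the report, as an added example that is not part of the original message or of nfs-utils. Syslog lines carry neither year nor time zone, so the year (2007) and UTC offset (+3) passed in are assumptions; with +3 the logged epoch lands on the 16:09:59 end time shown in the client host's cache.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two rpc.gssd lines in the format quoted in the report.
SAMPLE = """\
Mar 27 10:03:05 noether rpc.gssd[12342]: handling krb5 upcall
Mar 27 10:03:05 noether rpc.gssd[12342]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_TFY.UTU.FI' are good until 1175000999
"""

# Matches only the "good until <epoch>" line that rpc.gssd logs per upcall.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ rpc\.gssd\[\d+\]: "
    r"INFO: Credentials in CC '(?P<cc>[^']+)' are good until (?P<until>\d+)$"
)


def credential_margins(log_text, year, utc_offset_hours):
    """Return (ccache, logged_at, expires_at, remaining) for each matching line.

    year and utc_offset_hours are caller-supplied assumptions, because the
    syslog timestamp format omits both.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        logged = datetime.strptime(
            f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=tz)
        expires = datetime.fromtimestamp(int(m["until"]), tz)
        results.append((m["cc"], logged, expires, expires - logged))
    return results


def expired_at_upcall(log_text, year, utc_offset_hours):
    """Return only the entries whose credentials had already expired when logged."""
    return [r for r in credential_margins(log_text, year, utc_offset_hours)
            if r[3] <= timedelta(0)]


if __name__ == "__main__":
    for cc, logged, expires, left in credential_margins(SAMPLE, 2007, 3):
        print(f"{logged:%b %d %H:%M:%S} {cc}: expires {expires:%b %d %H:%M:%S}, {left} left")
```

A negative or near-zero margin on the lines logged around a failure would point at machine-credential renewal rather than at the users' tickets.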